In the ClubCISO Realtime Maturity Survey 2014, 50 senior executives “with responsibility for their organisations' information security” were profiled for their thoughts on everything from reporting lines and breach response to cloud and BYOD adoption, as well as third-party relationships.
But it was on the topic of security awareness training where the results were most concerning, with 21 percent of CISOs saying that they had ‘never' given training and a further 21 percent indicating that they only provided this when new staff joined the company.
A respectable 37 percent said that they carried out training on an annual basis and another 21 percent agreed that this was carried out “frequently, as updates are required”.
“Security awareness training for employees raised security concerns. One-fifth of staff never receive training, and doubts were raised about the quality and effectiveness of the training that was actually given,” reads the report.
“As for measuring effectiveness, participants had concerns particularly about online testing,” the report added, noting uncertainties around how learning is enforced and if the training even took place. As one example, one CISO apparently said: “I know of an example where an executive paid his daughter to do the test for him.”
More than half (52 percent) of the surveyed CISOs admitted that their security awareness training programmes had ‘no measure of effectiveness', while 24 percent said that they relied on online testing. A further 14 percent said that they had an after-training test, while a well-prepared 10 percent professed to measuring incident and support call volumes before and after the training.
At a dinner in central London last week to discuss the findings, one CISO, who wished to remain anonymous, told SCMagazineUK.com how such training was a big topic of conversation at his telecommunications company.
“I think people are not aware what they're doing in your environment…users are not conscious about security,” he said.
David Prince, cyber security director at reputation defence firm Schillings, reinforced this view and urged companies to seek out ‘more creative ways' to educate people on their security responsibilities.
“People should be the first line of defence but in reality, they can be the main causes of vulnerability,” said Prince, who added that Schillings has taken to leaving USB keys around and drafting phishing emails to trick people to improve their awareness.
Other CISOs said that the key with training is to relate security to ‘personal circumstance'.
And with 58 percent of CISOs doing training sporadically – either on joining a company or just once a year – Prince said that companies need to move to a more continued deployment. “It is a programme that doesn't end.”
One area for contention has been whether security awareness training is best initiated ‘bottom-up' from the lower rungs of the organisation, or starting from the boardroom with a ‘top-down' approach. Prince said that companies must ‘burn the candles from both ends' but suggested that some companies may be especially concerned with the senior executives that 'don't get cyber security'.
Phil Cracknell, head of security and privacy at independent IT consultancy Company85 – which coordinated the study - stressed that, regardless of how such training starts, there needs to be a continued effort even starting from a very young age.
“We need to saturate this for a couple of years…we need to get this into schools,” said Cracknell